Unfortunately, in our increasingly “joined up” world, our personal details are often being shared without our knowledge or consent.  If you regularly make online purchases, then before long your details will find their way into the hands and laptops of scammers.  

As a result, we are all more aware than ever before of the importance of protecting our personal information and being cautious with whom we share our details.  This is a necessary precaution if we want to enjoy the benefits of the technology we use.  

As the providers of Flexi-Grant® we accept that we have a clear responsibility to ensure that the (often sensitive) data that is collected and stored by our clients through our software is secure and as well protected as it can be. 

We believe that it is NOT enough to simply SAY that your data is secure, rather we believe it is important to PROVE this during selection. So, you can imagine our continuing surprise, frustration and amazement over the past few years when a significant number of prospective clients have repeatedly chosen to ignore, avoid or curtail our attempts to discuss the importance of data security and our ongoing efforts to provide this.  

Why is security not front and centre in EVERY systems selection?  Why is a conversation often avoided?  If you are not prepared to make time to talk about the important stuff then what is the point of us engaging in a protracted selection process? (And yes, when important conversations are avoided often the process strangely takes longer than it should to complete!)

A few timely questions to gather evidence on the security of the system being procured (and we mean ALL systems not just grant management systems!) is a vital step in any system selection process.  This needs to be more than just a few passing questions at the tail end of a demonstration to put a tick in a box but a dedicated segment/session in its own right!  

It’s easy and tempting to cut corners with many different stakeholders perhaps focusing on different things and time pressures mounting but security cannot EVER be ignored.  Accompanying this article is a very simple set of questions to help you ensure that you are getting the information you need to assure the system you are examining is secure.  

It is NOT meant to be a definitive list of everything you should ask and explore but hopefully it goes some way to starting an essential conversation!   This checklist and any security conversation should be built on the following guiding principles:

1. Look for PROOF and EVIDENCE to support any claim of standards, security practices and robustness. We are aware of suppliers who do not invest in security and who have been compromised yet who still win large contracts!  We would say when this happens the supplier has failed but the BUYER has failed even more. The proverb “Caveat Emptor”(Buyer beware) has stood the test of time and reminds any buyer that they typically have less information than the seller on the goods and services they are procuring. Common sense says that the buyer should therefore look for the defects and weaknesses that might not be obvious at first and ask direct questions.

• You should work with suppliers that prioritise security! It seems obvious but system security is an ever changing landscape and only by working with suppliers who ‘bake’ security into all their processes from concept, design through to coding and development to delivery can you know that security is taken seriously.  Is the evidence that is being shared with you recent and current?  If not, beware.

• Your supplier should work within security frameworks that help them and their solutions comply with regulations. Do they speak confidently about how they protect the personal data they are holding and how this is supported through compliance with demanding security standards such as ISO27001 and OWASP?  Do they understand the implications for them and you of international regulations such as GDPR? NB it is important that you have a subject matter expert to help you as the buyer to shape and frame your questions.  Don’t wing it and hope that what you are hearing is right.  Validate and have someone in the room to lead this discussion for you!

• Look for suppliers who engage on security outside of their organisation.  It is understood and makes sense that companies and suppliers can have different internal security strategies influenced by the size, sector, geography etc of the business.  The golden thread we are looking for though is to know that the supplier is looking outside of their business and continually learning and improving upon their practices with the help of others.  A key, acid test question here is ‘when was the last time you had a fully independent penetration test of your software?’  Anything other than a straight answer backed up with documented evidence should be challenged rigorously!

• Know exactly where your solution is hosted and where data processing takes place.  Just because a solution is hosted in the cloud does not mean it can be any less secure than if hosted physically on premises.  The advantages of ‘in-cloud’ are numerous (e.g. created resilience and scalability, supported by major infrastructure vendors and dedicated 24×7 support teams) as long as the solution is hosted and managed in secure data centres accredited for stringent standards such as ISO27001, SOC2, and SOC3.  As with any aspect of security ask questions and seek evidence to prove what you are hearing.

As a supplier we would like you to pick our software but we appreciate that we will not always win.  it However, when we are not selected and know that security has NOT been properly considered! – we worry for the organisation, its applicants, its employees and its trustees and the security of their data. 

Too dramatic? When you consider that there have been data breaches from grant management software solutions, its clear that this is a real and continuing issue we all must strive to raise awareness on. As a sector we need to talk more about data security and what we are doing to make our solutions more robust.

Keith Turkington

Grant Management Advocate

P.S. we practice what we preach and have regular INDEPENDENT security reviews of our software.  Yes, we are ISO27001 and cyber security essentials certified but data security is discussed, lived and breathed in EVERYdevelopment, implementation and training activity we do and then validated externally so we know we are not fooling ourselves or taking shortcuts.  Want a cheaper solution?  Buy something insecure and see what the REAL cost is long term.